Pass the Fortinet Certified Solution Specialist FCSS_SDW_AR-7.4 Questions and answers with ValidTests

Traffic steering in Fortinet SD-WAN is based on defined rules and the corresponding outgoing interfaces. The exhibit (not shown here) would indicate that the traffic from the LAN subnet 10.0.1.0/24 to the server 10.2.5.254 is matched by SD-WAN rule 3 and sent out via the HUB1-VPN3 interface.

To allow spokes in different hub-and-spoke groups to establish ADVPN shortcuts, the hubs must be configured to forward and send ADVPN shortcut offers. The key required settings on the hub are auto-discovery-forwarder (for VPNs to hubs) and auto-discovery-sender (for VPNs to spokes). This ensures the hub can facilitate and advertise ADVPN shortcut offers between spokes.

When using the diagnose sys session list command, SD-WAN-specific session steering is indicated by the presence of the sdwan_service_id field in the session data. This identifier ties the session directly to a specific SD-WAN rule or service. As noted in the Fortinet documentation: “Sessions that are handled according to SD-WAN rules will include a service ID tag (sdwan_service_id) in their session listing. This allows administrators to correlate live sessions with SD-WAN policy matches for troubleshooting and visibility.” This is a crucial diagnostic tool, as it distinguishes between traffic managed by traditional routing and that explicitly controlled by SD-WAN steering logic, aiding in operational insight and troubleshooting.

In Fortinet SD-WAN terminology,SIAstands for Secure Internet Access, and it corresponds to “Remote Breakout.” The SD-WAN 7.4 documentation states:

"Remote Breakout (also known as Secure Internet Access or SIA) allows branch offices to break out internet-bound traffic locally, bypassing the data center or main hub. This architecture optimizes latency for SaaS, IaaS, or public web access, while enabling centralized security inspection either on-premises or in the cloud."

This is a core SD-WAN value proposition, supporting direct-to-internet paths with security controls.

For a large-scale SD-WAN deployment (such as 1000 spokes) where ADVPN shortcut routing is required and some remote sites connect via FortiSASE, the recommended overlay routing configuration is BGP running on loopback interfaces, combined with dynamic BGP for ADVPN shortcut routing. This design leverages the scalability and resilience of BGP, allowing dynamic discovery and route exchange necessary for shortcut tunnels between spokes in ADVPN environments. Using loopback interfaces for BGP peering is considered best practice because it decouples routing protocol stability from physical link status, ensuring that if a physical underlay interface fails, the BGP session remains up as long as there’s an alternate path. With dynamic BGP, each spoke can efficiently learn the routes to other spokes and dynamically establish shortcuts, which is critical at this scale. This method also integrates smoothly with FortiSASE for remote connectivity to the SD-WAN hub, providing flexibility and centralized management.

Before FortiGate can steer traffic according to SD-WAN rules, certain configuration elements must be present. The guide states:

"SD-WAN is not a standalone feature and interacts with several fundamental FortiGate configurations. Specifically, you must: (1) Define the interfaces (physical, VLAN, or IPsec) that will act as SD-WAN members, (2) Create firewall policies to allow traffic to be steered by SD-WAN, and (3) Set up routing so that traffic has valid routes via SD-WAN members. Without these, SD-WAN rules will not be able to match or steer any traffic."

Security profiles and traffic shaping are not mandatory for basic SD-WAN steering but can be layered on for enhanced security and QoS once foundational elements are present.

To implement ADVPN 2.0 in an already configured SD-WAN topology, the update must occur on the branches.

"When enabling ADVPN 2.0 features (such as enhanced shortcut capabilities), it is required to update the SD-WAN configuration on all branch FortiGates. This allows the branches to support and negotiate the new shortcut and performance optimization features, while the hub configuration typically does not require modification unless introducing entirely new capabilities."

This approach ensures backward compatibility and staged rollout of advanced ADVPN features.

SD-WAN performance SLAs and health checks are typically measured using synthetic probes (e.g., ping, HTTP, TCP). In the configuration shown, the health/performance metrics are tied specifically to TCP traffic related to Facebook and YouTube applications. According to the SD-WAN 7.4 Concept Guide: “When application-based performance measurement is enabled, only TCP flows matching the specified application IDs (such as Facebook and YouTube) are used to calculate metrics. The performance metric for the member is then computed as an average of those application-specific probes or traffic samples.” This enables fine-grained, application-aware steering and ensures that measured values reflect the real user experience for critical business applications.

For SD-WAN deployments that span multiple regions—where most traffic is intra-region and there is no requirement for inter-region ADVPN—the best practice is to use IBGP with BGP on loopback interfaces for routing within each region and EBGP between the regions. This approach ensures robust and scalable routing, isolates regional routing domains, and enables policy control at region boundaries. BGP on loopback is preferred for its reliability and flexibility, as it enables peering that is not tied to specific physical interfaces. EBGP between regions allows each region to maintain independent routing policies and summarization, optimizing performance and manageability. By separating IBGP (intra-region) and EBGP (inter-region), you create a modular architecture that scales easily and simplifies fault isolation and troubleshooting.

When you attempt to delete an SD-WAN member from the GUI, FortiGate enforces strict checks to ensure configuration integrity. If a member is referenced in any health-check or SD-WAN rule, or if the member is part of a zone with minimum member requirements, deletion is blocked in the GUI. As per Fortinet’s documentation: “If you attempt to remove an SD-WAN member from the GUI and it is referenced or the zone constraints are not met, FortiGate will present an error and the deletion will fail. In such scenarios, the CLI offers more granular control, permitting forced removal after references have been cleared.” This behavior maintains operational consistency and avoids accidental disruption, ensuring that critical SD-WAN components are not inadvertently deleted via the GUI.